DEV Community

Shubham Chaudhary
Shubham Chaudhary

Posted on

The cd Command Every SOC Analyst Should Actually Master


*It's 2:47 AM and a SOC alert just fired
*

Unusual outbound traffic from a production server. No AI dashboard walking you through it — just a terminal and sixty seconds to figure out if this is a false positive or a live breach.

First move: cd /var/log. Second move: cd /tmp, because that's where attackers love to stage payloads — it's world-writable, and most people don't think twice about it.

If you've only ever thought of cd as "how you move around folders," it's worth a second look. In digital forensics and incident response, cd is literally how you trace an attacker's footprints through a compromised system — from an initial web shell drop, through privilege escalation artifacts, into log directories, and finally to whatever persistence mechanism they left behind.

A few cd patterns that actually matter in production/security work
cd - # jump back to your last directory instantly
cd /etc && pwd # navigate + confirm location in one line
[ -d /opt ] && cd /opt # only cd if the directory exists — critical for scripts run across inconsistent fleets
cd ~username # inspect a suspicious account's home directory (permissions allowing)

None of these are advanced. But under pressure, during a live incident, knowing them cold — instead of Googling syntax — is the difference between containing a breach in 20 minutes and still being lost in /usr/share an hour later while data walks out the door.

*Why this matters beyond the terminal
*

Attackers know the filesystem just as well as defenders do. /tmp, /var/tmp, and hidden files in user home directories are classic staging grounds — which is exactly why SOC teams build detection around directory activity (auditd rules, bash history correlation, EDR process-tree analysis) rather than just file-content scanning.

I wrote a full breakdown covering every cd command variation with real SOC context, a complete breach-investigation walkthrough, attacker tradecraft, and detection/hardening strategies — link at the top (canonical) and below if you want to go deeper:

🔗 https://www.xpert4cyber.com/2026/07/cd-command-linux-guide.html

Top comments (0)